          OAuth 2.0 Authorization Errors

          Errors can occur during OAuth authorization. For example, a user denies access to the connected app or request parameters are incorrect. When errors occur, the authorizing server sends an error to the callback URL with an error code.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions

          OAuth authorization errors have different formats depending on the authorization flow. Here are examples from each of the supported OAuth flows.

          • This error is from an OAuth 2.0 web server flow, in which the user denied access to the connected app:
            https://www.mycustomerorderstatus/code_callback.jsp?error=access_denied
          • Here’s the same error from an OAuth 2.0 user-agent flow:
            https://www.customercontactinfo.com/user_callback.jsp#error=access_denied
          • If an error occurs in the OAuth 2.0 JWT bearer flow, the authorizing server replies with a standard OAuth error response. The response includes the reasons why the token is considered invalid. For more information, see https://tools.ietf.org/html/rfc7523. This example shows a sample error response in JSON format.
            HTTP/1.1 400 Bad Request
            Content-Type: application/json
            Cache-Control: no-store
            {
              "error":"invalid_grant",
              "error_description":"Audience validation failed"
            }
          • The following is an example of a returned error from an OAuth 2.0 refresh token flow.
            {"error":"invalid_grant","error_description":"expired access/refresh token"}
          • This sample error response occurred while processing the SAML bearer assertion.
            HTTP/1.1 400 Bad Request
            Content-Type: application/json
            Cache-Control: no-store
            {
              "error":"invalid_grant",
              "error_description":"Audience validation failed"
            }
          • Here’s an example error from a SAML assertion flow. This flow includes an error URI, which is a link to the SAML Assertion Validator. The validator contains more information about the failure. The error URI is returned only when Salesforce can parse the assertion.

            {
              "error_uri":"https://yourInstance.salesforce.com/setup/secur/SAMLValidationPage.apexp",
              "error":"invalid_grant",
              "error_description":"invalid assertion"
            }

          Error Codes

          To help troubleshoot why an error occurred, review the following error codes and causes.

          access_denied: User denied access to the client app.
          authorization_pending: For the device flow, the user hasn’t approved the device for access yet.
          CSRF: Salesforce detected a possible Cross-Site Request Forgery (CSRF) attack. We couldn't verify that the request to log in came from the correct domain.
          ERROR_CREATING_USER: One of these scenarios has occurred.

          • The username isn't unique.
          • A contact exists for that email address.
          • The user doesn't have a license.
          • You exceeded your org's storage limit.

          immediate_unsuccessful: The immediate parameter is set to true, and the user isn’t logged in or hasn’t previously approved the client’s access.
          inactive_org: Org is locked, closed, or suspended.
          inactive_user: User is set to inactive by the org’s admin.
          invalid_app_access: User isn’t approved by an admin to access this app.
          invalid_assertion_type: Specified assertion type isn’t supported.
          invalid_client: Client secret is invalid.
          invalid_client_id: Client identifier is invalid.
          invalid_grant: One of the following:

          • Invalid authorization code. For the SAML assertion flow, make sure that the client sends a URL-encoded assertion and assertion_type.
          • Invalid user credentials.
          • Invalid user.
          • Invalid assertion.
          • Invalid audience.
          • IP restricted or invalid login hours.
          • The code_verifier value was invalid (not base64 encoded, for example) or wasn’t the valid verifier for the given code_challenge.
          • A code_challenge wasn’t specified, so the code_verifier wasn’t expected but was specified.
          • User hasn’t approved the connected app.
          • Authentication failure.
          • For the device flow, the device flow isn’t enabled for the connected app or the Salesforce server isn’t able to grant an access token.
          • For the refresh token flow, the refresh or access token is expired.
          • For the client credentials flow, the request isn't supported for the host domain. For this flow, requests to https://login.salesforce.com and https://test.salesforce.com aren't supported. Use your My Domain URL instead.

          invalid_request: One of the following errors occurred.

          • HTTPS is required.
          • HTTP GET is required.
          • HTTP POST is required.
          • The code_challenge value was invalid, such as not being base64 encoded.
          • Flow doesn’t support and didn’t expect a code_challenge parameter.
          • Out-of-band isn’t supported.
          • The JWT bearer and SAML assertion bearer flows require a refresh_token scope. Install and preauthorize the app.
          • For the device flow, the device code specified in the polling request is invalid.
          • For the username-password flow, the scope parameter isn’t supported.
          • For the refresh token flow, the secret type isn’t supported.

          invalid_scope: The requested scope is invalid, unknown, or malformed.
          NO_ACCESS: Unable to find a user. For example, there's no username.
          No_OAuth_State: The OAuth state was tampered with or is missing.
          No_Openid_Response: User Info Endpoint URL is invalid.
          rate_limit_exceeded: Number of login attempts has been exceeded.
          redirect_uri_mismatch: Redirect URI mismatch with connected app definition.
          redirect_uri_missing: Redirect URI not provided.
          REGISTRATION_HANDLER_ERROR: For authentication providers, there's a problem with your registration handler Apex code.
          server_error: The number of authorization requests from the client app exceeds the hourly limit.
          slow_down: For the device flow, the client app is polling the authorization server more frequently than the recommended minimum interval.
          unsupported_response_type: Requested response type isn’t supported.
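The following is an added example, not Salesforce code, showing how a client might handle the two error shapes described above (error parameters in the callback URL's query string or fragment, and the JSON token-endpoint body) and map the codes from this table to a client action. The action categories, the `state_mismatch` code and the callback URLs with `example.invalid` are constructed for the example.

```python
"""Parse and classify Salesforce OAuth 2.0 error responses (added example, not Salesforce code)."""
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Device-flow codes from the table that mean "keep polling" (slow_down: lengthen the interval).
POLL_AGAIN = {"authorization_pending", "slow_down"}
# Codes from the table that mean the client is being throttled and should back off.
BACK_OFF = {"rate_limit_exceeded", "server_error"}
# Codes from the table that mean the grant or user is unusable; a fresh authorization is needed.
REAUTHORIZE = {"access_denied", "invalid_grant", "inactive_user",
               "invalid_app_access", "immediate_unsuccessful"}
ERROR_FIELDS = ("error", "error_description", "error_uri")


def parse_callback_error(url: str, expected_state: Optional[str] = None) -> dict:
    """Return error fields from a callback redirect, or {} if no error is present.

    The web server flow returns the parameters in the query string and the user-agent
    flow returns them in the fragment, so both are read. When expected_state is given,
    a missing or altered state value yields a constructed 'state_mismatch' error, since
    the redirect cannot be tied to a request this client started.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({k: v[0] for k, v in parse_qs(parts.fragment).items()})
    if expected_state is not None and params.get("state") != expected_state:
        return {"error": "state_mismatch",
                "error_description": "state parameter missing or altered", "error_uri": ""}
    if "error" not in params:
        return {}
    return {k: params.get(k, "") for k in ERROR_FIELDS}


def parse_token_error(body: str) -> dict:
    """Return error fields from a JSON token-endpoint body, or {} when the body is not an error."""
    data = json.loads(body)
    return {k: data.get(k, "") for k in ERROR_FIELDS} if "error" in data else {}


def classify(err: dict) -> str:
    """Map an error dict to a client action: ok, reject, poll_again, back_off, reauthorize, fix_request."""
    code = err.get("error")
    if not code:
        return "ok"
    if code == "state_mismatch":
        return "reject"  # do not treat the callback as belonging to any pending authorization
    if code in POLL_AGAIN:
        return "poll_again"
    if code in BACK_OFF:
        return "back_off"
    if code in REAUTHORIZE:
        return "reauthorize"
    return "fix_request"  # e.g. redirect_uri_mismatch, invalid_client, invalid_scope, invalid_request
```

The `error_uri` field is preserved so that, for the SAML assertion flow, the link to the SAML Assertion Validator is available to whoever troubleshoots the failure.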
          Salesforce Help | Article